Cisco ISE Profiling Policy

If an endpoint matches multiple Profiling Policies and each one of the Profiling Policies creates a new and unique Identity Group, which Identity Group will the endpoint be profiled into? My understanding is that an endpoint can only be profiled into a unique Identity Group. Another way of wording the question is, are the Profiling Policies matched top down or some other way? Thanks in advance.

No problem Graham. To answer your second question: the attributes that are collected first and that trigger a profiling rule would be used first. For instance, let's say that you have a profiling rule with CF of 100 that is looking for a DHCP class identifier of XYZ and then a second profiling rule with CF of 100 that is looking for the MAC OUI of ABC. In this situation, the second rule would be hit first since the MAC information is collected before the DHCP info is. As a result, the device will be profiled and placed in the endpoint group associated with the second profiling rule until/unless additional attributes are collected that would match a different profiling rule with CF > 100.
I hope this makes sense.
Thank you for rating helpful posts!
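As an added illustration of the ordering described in this answer (my own simplified model, not Cisco ISE code): each policy is a single-condition rule with a certainty factor, probes deliver attributes one batch at a time, and an endpoint only moves to another group when a matching policy's CF is strictly higher than the one that placed it. The attribute names follow the dictionaries mentioned in these threads, the values ABC and XYZ are the answer's own placeholders, and the CF-150 rule mirrors the later "Cisco-AIR-LAP" post; all sample data is constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    name: str
    group: str   # identity group the policy profiles its matches into
    cf: int      # certainty factor awarded when the condition matches
    attr: str    # collected attribute the condition reads
    op: str      # "EQUALS" or "CONTAINS"
    value: str

@dataclass
class Endpoint:
    attrs: dict = field(default_factory=dict)  # everything collected so far
    group: str = "Unknown"
    group_cf: int = 0                           # CF of the policy that placed it

def matches(rule, attrs):
    # Evaluate one policy condition against the attributes seen so far.
    seen = attrs.get(rule.attr)
    if seen is None:
        return False
    return seen == rule.value if rule.op == "EQUALS" else rule.value in seen

def ingest(ep, rules, new_attrs):
    """Merge one probe's attributes and re-evaluate every policy. The endpoint
    moves only on a strictly higher CF, so equal-CF policies tie in favour of
    the one whose attributes arrived first."""
    ep.attrs.update(new_attrs)
    for rule in rules:
        if matches(rule, ep.attrs) and rule.cf > ep.group_cf:
            ep.group, ep.group_cf = rule.group, rule.cf
    return ep.group

# Constructed policies: the two CF-100 rules from the answer above, plus a
# CF-150 generic LAP rule like the one in the later "Cisco-AIR-LAP" thread.
RULES = [
    Rule("DHCP-XYZ", "Group-XYZ", 100, "DHCP:dhcp-class-identifier", "EQUALS", "XYZ"),
    Rule("OUI-ABC", "Group-ABC", 100, "MAC:OUI", "EQUALS", "ABC"),
    Rule("Cisco-AIR-LAP", "Generic-LAP", 150, "LLDP:lldpSystemDescription", "CONTAINS", "K9W8"),
]

def profile_events(events, rules=RULES):
    """Feed (probe, attributes) events in arrival order and return the group
    after each one, so the effect of collection order is visible."""
    ep, history = Endpoint(), []
    for probe, attrs in events:
        history.append((probe, ingest(ep, rules, attrs)))
    return history

# Constructed arrival order: MAC via RADIUS first, DHCP later, LLDP last.
EVENTS = [
    ("RADIUS", {"MAC:OUI": "ABC"}),
    ("DHCP", {"DHCP:dhcp-class-identifier": "XYZ"}),
    ("LLDP", {"LLDP:lldpSystemDescription": "C1250-K9W8-M (constructed)"}),
]
```

Calling `profile_events(EVENTS)` shows the endpoint staying in Group-ABC after the DHCP batch, because the two CF-100 policies tie and the RADIUS-collected OUI matched first, and moving to Generic-LAP only once the CF-150 policy matches; swapping the first two events lands it in Group-XYZ instead.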

Similar Messages

  • Cisco ISE feeding policy

    Hi all,
    I changed something in the profile for windows 8 on Cisco ISE.
    Then I configured Cisco ISE to dynamically update the feed policies, but when the update is done I receive the below message:
    Feed Version 1 policies downloaded.
    Total number of feed polices to apply are 1.
    Feed policies total 1 skipped.
    Feed policies warning message : Workstation:Microsoft-Workstation:Windows8-Workstation has been changed by admin.
    *** This message was generated by Cisco Identity Services Engine (ISE) ***
    How can I reset the change I did to get all feed policies updated?
    Regards,
    Maher

    I have the same problem.
    Apparently if you inadvertently save a "Cisco Provided" profiler policy without making any changes it is changed from "Cisco Provided" to "Administrator Modified". If the profiler feed service then tries to update that policy it fails with the warning that the policy has been modified by the admin.
    There does not appear to be any way to restore "Cisco Provided" profiler policies to their default state.
    Does anyone have a solution for this?

  • Cisco ISE auth policy based on Active Directory domain membership

    I am currently testing the Cisco ISE product and I am trying to find a way to assign an authorization policy based on domain membership. Our company sorts standard users and project team members into different domains so it seemed like the ideal thing to sort with. Unfortunately, I am no AD expert and there are a mind-boggling number of conditions/expressions to choose from. I figured I would be the first person to try this. What have others done to solve this problem?
    I have tried using the memberOf attribute and matching to .*(domain).*, basically looking to see if memberOf contains the domain name. It works for machine authentication, but when I log in the system cannot find my account info for some reason and boots me to the guest VLAN.
    Thank you.

    Are the two sets of users actually residing on two separate and independent domains? If so then that is probably where your problem is as ISE can only integrate with a single domain. If you have multiple domains then there must be a trust relationship between them. Another solution is to use LDAP integrations as there is not a limit with LDAP integrations.
    Thank you for rating!

  • Cisco ISE profiling - Split Corporate/Guest access

    Hello all,
    I am currently deploying a Cisco ISE for my wireless network and I would like to split my WLAN into two different "authorization profiles": Guest and Corporate.
    For the moment, I use my Active Directory to authenticate users and profiling to authorize devices with the hostname. I would like to classify by domain name with the DHCP probe but I can't, because there is always a DHCP message response with the domain name given by the DHCP server. Do you have a solution to separate devices with the domain name or with other attributes?
    Thanks in advance for your answer!

    Thanks for your answer salodh,
    I've already done two authorization profiles (Guest and Corporate) based on rules using Active Directory and profiling conditions, but I would like more profiling conditions (not only hostname) to split corporate and guest devices clearly.

  • ISE profiling policy

    Hi forummers,
    I would like to ask if I can create a profiling policy in order to reduce the overall load generated on the policy service node.
    Example:
    Workstation
    - unique attributes: MAC address
    - probe used: RADIUS
    - collection method: RADIUS authentication
    Apple iPhone
    - unique attributes: OUI
    - probe used: RADIUS
    - collection method: RADIUS authentication
    Thanks
    Noel

    Noel,
    Can you please describe how you want to reduce the load on the policy service node? To create a profiling policy for workstations the MAC address should work; however, for the Apple iPhones you will need more than just the Apple OUI since the MacBook, iPads and iMacs all share the OUI for Apple. You will need to use either the HTTP user agent string to detect this or the OUI, and that is done by setting a default rule to the redirect page so this can happen.
    Let me know if this is what you are looking for.
    Thanks,
    Tarik Admani

  • Cisco ise profiling -lldp med information

    Hi All
    We have a few IP phones which use LLDP-MED information to send their system descriptions, type etc. to the switch. This LLDP-MED information can be seen on the Cisco switch, but when ISE does profiling using the SNMP query probe for these endpoints only limited LLDP information is shown (LLDP cache capability etc.).
    Do we have to update any LLDP-MIB in ISE, or has anyone come across this issue?
    Thanks
    G

    The list of all LLDP MIBs used by ISE is here:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_mib.html#84224

  • Did Cisco ISE have limitation for policy setting?

    Dear All,
    Does anyone know about a Cisco ISE limitation on policy settings?
    Right now my setting for the Windows posture policy is around 200 Windows patch checks. Does ISE have a limitation such as a maximum number of Windows patching policy lines?
    Thank you
    Best Regards

    Here is the answer for your first question.
    Cisco ISE profiler collects a significant amount of endpoint data from the network in a short period of time. It causes Java Virtual Machine (JVM) memory utilization to go up due to accumulated backlog when some of the slower Cisco ISE components process the data generated by the profiler, which results in performance degradation and stability issues.
    To ensure that the profiler does not increase the JVM memory utilization and to prevent the JVM from going out of memory and restarting, limits are applied to the following internal components of the profiler:
    Endpoint Cache—Internal cache is limited in size that has to be purged periodically (based on least recently used strategy) when the size exceeds the limit.
    Forwarder—The main ingress queue of endpoint information collected by the profiler.
    Event Handler—An internal queue that disconnects a fast component, which feeds data to a slower processing component (typically related to a database query).
    For more information, go through:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_prof_pol.html#12624

  • Cisco ISE - What does "Multiple Matched Rule Applies" mean?

    Hi,
    In the Cisco ISE authorization policy configuration, what does the option "multiple matched rule applies" mean? I can understand the "first matched rule", but in "multiple matched rule" how are the permissions picked if multiple rules match? Or, what is the logic involved in picking the permissions if multiple rules are matched in the authorization policy?
    Nowhere in the Cisco documentation do I see any explanation for this.
    I would appreciate it if anyone can point me to a document or explain to me the logic in selecting the permissions if multiple rules are matched. Also, what would be the use case for this?
    Thanks and Regards,
    Mohan

    I agree with Tarik, and also this might be helpful for you:
    An authorization policy can consist of a single rule or a set of rules that are user-defined. These rules act to create a specific policy. For example, a standard policy can include the rule name using an If-Then convention that links a value entered for identity groups with specific condition(s) or attributes to produce a specific set of permissions that create a unique authorization profile. There are two authorization policy options you can set:
    • First Matched Rules Apply
    • Multiple Matched Rule Applies
    These two options direct Cisco ISE to use either the first matched or the multiple matched rule type listed in the standard policy table when it matches the user's set of permissions. These are the two types of authorization policies that you can configure:
    • Standard
    • Exception
    Standard policies are policies created to remain in effect for long periods of time, to apply to a larger group of users or devices or groups, and allow access to specific or all network endpoints. Standard policies are intended to be stable and apply to large groups of users, devices, and groups that share a common set of privileges.
    Standard policies can be used as templates in which you modify the original values to serve the needs of a specific identity group, using specific conditions or permissions to create another type of standard policy to meet the needs of new divisions, or groups of users, devices, or groups in your network.
    By contrast, exception policies are appropriately named because this type of policy acts as an exception to the standard policies. Exception policies are intended for authorizing limited access that is based on a variety of factors (short-term policy duration, specific types of network devices, network endpoints or groups, or the need to meet special conditions or permissions or an immediate requirement).
    Exception policies are created to meet an immediate or short-term need such as authorizing a limited number of users, devices, or groups to access network resources. An exception policy lets you create a specific set of customized values for an identity group, condition, or permission that are tailored for one user or a subset of users. This allows you to create different or customized policies to meet your corporate, group, or network needs.
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_authz_polprfls.html

  • Pages in Cisco ISE 1.2 says Error code WAP00008.

    When I am trying to access the Cisco ISE pages Policy > Policy Elements > Dictionaries,
    I get the following error on Firefox (Mac):
    There was an error while parsing and rendering the content. (node.getAttribute is not a function)
    Error code WAP00008.
    Error on Chrome (Mac):
    There was an error while parsing and rendering the content. (Object # has no method 'getAttribute')
    Error code WAP00008.
    It works fine on IE (Windows) and Firefox,
    but gives the same error on Chrome.
    Anyone else facing the same issue?

    This now seems to be across Firefox and Chrome on both Mac and Windows OS systems. Cisco need to make sure their products can work with the updated browsers, as customers cannot be expected to always roll back a browser version to fix a problem... Does anyone know what the root cause might be for this issue? Java plugins? So customers can get a solution to allow administration of ISE across OS platforms and browsers...

  • Cisco ISE Profiling BYOD

    What happens with devices that are not in the list of Cisco ISE profiling?
    For example, I have Android Alcatel devices and they are not recognized.
    I have just the ISE solution implemented without MDM and I have to add the device manually. Is there any way to create profiling for all devices of a specific brand?
    I update the profiling frequently but the problem persists.

    Duplicate post, go here

  • Cisco ISE 1.2.1 deployment issue with AnyConnect and Profiling

    Hi All,
    We are running a Cisco ISE box on version 1.2.1, wherein I am facing the below issue during deployment. We have two ISE boxes, where one box acts as Primary Admin, Secondary MNT and Policy Service and the second box acts as Secondary Admin, Primary MNT and Policy Service.
    1) Profiling of Endpoints - HP LaserJet printer 55XX series and scanner profiling are not happening in Cisco ISE 1.2.1, wherein I have enabled the below probes in ISE for profiling:
    RADIUS Probe
    SNMP Probe
    SNMP Trap
    HTTP Probe and DNS
    2) AnyConnect issue - We are using the AnyConnect supplicant 3.0.11042 for wired and wireless user profiles on Windows 7 Enterprise 32-bit machines.
    - Yellow mark issue - Once authentication and posturing are completed we get a yellow mark on the network drive, but we are still able to connect to the network.
    - Network Map Drive issue - Once authentication and posturing are completed we get a red cross mark on the network map drive, and if we double-click on that drive then it becomes accessible and the red mark turns green.
    For that we have already allowed IP-level access to all domains in the before-logon dACL (machine authentication).
    It would be really great if anyone can help me on the same.
    Thanks & Regards
    Pranav

    Hi Pablo,
    Please find the solutions below:
    Yellow mark issue - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet. This service is disabled by default on Windows XP and Windows 8.x operating systems. It is only enabled by default on Windows 7 and Windows Vista operating systems.
    Network Map Drive issue - Create a logon script and deploy it using Group Policy. The script will check full network connectivity and then map the network drives.
    Regards
    Pranav

  • ISE won't match configured profiling policy

    I'm trying to match Cisco LAPs (any kind of) using profiling in my AuthZ policies, yet the specific AP (a 1252 model) always gets profiled as 'Cisco-Aironet-AP-1250' instead of the desired, more generic 'Cisco-AIR-LAP' policy. To change this behaviour, I've tried to work with a simple match ('LLDP:lldpSystemDescription CONTAINS K9W8') and give this policy a high certainty factor of 150, yet it doesn't work.
    How can I force any kind of LAP (that must not contain any autonomous AP) to get profiled in a generic LAP policy which I can use in an AuthZ policy?
    I'm using ISE 1.2, patch 6.
    Thanks, Toni

    Hi, thanks for your reply. That's almost a winner... Meanwhile, I escalated this to TAC. Basically, the attribute value "cisco AIR-LAP" would do, but there's a bug that needs to be considered with ISE 1.2, patch 6:
    https://tools.cisco.com/bugsearch/bug/CSCuo78457

  • Can we download ISE Profile Policy from Cisco?

    The ISE comes with certain profile policies. Can we download the profile policy from Cisco as new devices come into the market?

    Yes, you can. jan.nielson is correct that the Profile Feed Service will allow for this. Be advised that the Feed Service does require a Plus license for activation. Here is a snippet from the ISE 1.3 Admin Guide:
    To activate the Feed Service, go to Administration > Feed Service > Profiler. Enable the checkbox for Enable Profiler Feed Service, fill out the rest of the options (optional) and click Save.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • Cisco ISE and ATA 188 profiling.

    I have tried to profile a Cisco ATA 188 adapter based on the CDP attribute:
    Platform: Cisco ATA 188
    and assigned it to a created identity group. I am not able to see the device profiled according to the identity group assigned. Instead it is always assigned to the "Cisco-Device" group.
    On the Cisco switch side, I am seeing the device in the data domain instead of the voice domain, but strangely enough it is getting an IP address from the voice DHCP pool. If dot1x configs are not applied on the port, the device gets an IP address from the voice VLAN and works fine.
    Any suggestion for this case?

    Can you post a screenshot of the custom profiling policy that you configured?
    Also, what version of code do you run on the switch and ISE?

  • Cisco ISE Anyconnect Profile editor

    I want wired users to authenticate from the ISE device and to use the authentication protocol EAP-FAST. On the PC I need to install the Cisco AnyConnect Profile Editor.
    Where and how do I get the AnyConnect Profile Editor?
    Thanks.

    It's one of the packages listed in the AnyConnect download location.
    Go here and click on Download Software.
